CMMC Compliance Checklist

New requirements (CMMC) for companies that do business with the Department of Defense (DOD).

The U.S. Congress has recently set new requirements (CMMC) for companies that do business with the Department of Defense (DOD). Companies are now required to report any breach of security in their networks to the Department of Homeland Security and to be CMMC compliant.

That is an interesting move, as we have all heard of the breaches in many big business networks, which result in the theft of personal information on millions of users. The reason for the change in policy is that it is much easier to get to the source of the breach than to the compromised information itself.

The DOD has recently had a spate of network security breaches that have compromised the information of individuals, but not the data itself.

The recent case of the Department of Justice (DOJ) and the FBI also highlights the fact that the FBI has access to any information stored in the cloud. This is just one more reason why it is critical for companies to keep an eye on the security of their networks.

What is the CMMC compliance?

CMMC (Cybersecurity Maturity Model Certification) was first published in 2020 and will be implemented gradually over the coming five years. CMMC will be a core part of all bidding processes for DoD contracts in the future.

CMMC Compliance Checklist

Access Control

Define access rules for all internal networks and systems, with a detailed, up-to-date list of users and their privileges within each system.

Asset Management

Know what hardware, software, and other technologies have access to the system. Create and document processes for everything from daily backups to the disposal of old equipment and the destruction of stored data.

Audit and Accountability

Track, log, and timestamp user access to, actions on, and any contact with information on CUI assets.

Training and Awareness

Cybersecurity training must be included at all levels of training and must cover how employees interact with CUI data within their roles.

Configuration Management

Map all devices and systems that use and process CUI data.

Identification and Authentication

Unique identification of all users, devices, and every process.

A strong user identification process with minimum password complexity requirements.

Incident Response

A plan of action for incidents, to detect and contain threats to data.

Maintenance

Everything needs maintenance. Create a maintenance schedule for systems, hardware, and devices.

Document system updates and patches to software, hardware, and firmware.

Media Protection

Track all media containing sensitive data and manage their destruction.

Personnel Security

Carry out comprehensive background checks during the hiring process.

Physical Protection

Restrict access to the building and to all servers. Maintain a detailed list of employees and the areas they may access.

Recovery

Maintain system backup schedules and test environments.

Risk Management

Maintain a risk management plan. Scan systems and networks for vulnerabilities and risks.

Security Assessment

Conduct security audits to identify new vulnerabilities and emerging threats.

Situational Awareness

Establish processes to identify new risks and threats to the system.

Track external cybersecurity threats.

System and Communications Protection

Define network boundaries, especially with the use of cloud-based systems.

Monitor end-point security.

Information and System Integrity

Keep components and software up to date and patched. Schedule regular updates.

CMMC Levels Certification

There are a number of different levels of compliance. Identify the data you will need to use within the contract, as different data can require different types of compliance.

The National Institute of Standards and Technology (NIST) established NIST 800-172 and NIST 800-171, enhanced security requirements for protecting government data, and incorporated them as part of the certification.

FCI (Federal Contract Information) - Data never intended for general or public release. You will require CMMC 5 levels certification.

CUI (Controlled Unclassified Information) - Data that is sensitive but not classified. You will require CMMC 3 levels certification.

  • CMMC Level 1 - Store federal contract data
  • CMMC Level 2 - Basic level security required to store and process CUI
  • CMMC Level 3 - Controlled Unclassified Information (CUI)
  • CMMC Level 4 -
  • CMMC Level 5 (Highest Level) - Storing extremely sensitive or classified data